WHAT IS CLAIMED IS 



1. A method for communicating in a distributed computing environment,
comprising:

a client accessing an authentication service to obtain an authentication credential
to use a first service;

said client sending a first message to said first service, wherein said first message
includes said authentication credential;

said first service using said authentication service to authenticate said
authentication credential received in said first message; and

said first service responding to said first message if said authentication credential
in said first message is determined to be authentic as from said client.

2. The method as recited in claim 1, further comprising said client obtaining an
address for said authentication service from an advertisement for said first service,
wherein said accessing an authentication service comprises said client sending a message
to said address for said authentication service requesting said authentication credential to
use said advertised first service.

3. The method as recited in claim 2, wherein said advertisement for said first service
includes a data representation language schema defining a message interface for accessing
said first service.

4. The method as recited in claim 3, wherein said first message corresponds to a
message defined in said data representation language schema.

5. The method as recited in claim 4, further comprising said client sending additional
messages to said first service to use said first service, wherein said authentication
credential is included with each one of said additional messages, and wherein each one of
said additional messages is defined by said data representation language schema.

6. The method as recited in claim 5, wherein said data representation language
schema is an eXtensible Markup Language (XML) schema.

7. The method as recited in claim 1, further comprising:

determining client capabilities for said client, wherein said client capabilities are
capabilities of said first service that said client is permitted to use; and

binding said client capabilities to said authentication token.

8. The method as recited in claim 7, further comprising:

said client sending a request message to said first service to access a capability of
said first service, wherein said request message includes said
authentication credential;

said first service determining that the capability requested in said request message
is within said client capabilities; and

said first service fulfilling said request message only if the capability requested in
said request message is within said client capabilities.

9. The method as recited in claim 7, wherein said determining client capabilities
comprises said client accessing an access policy service to obtain a capability token
indicating which capabilities of said first service said client is permitted to access.

10. The method as recited in claim 9, wherein said authentication service and said
access policy service are combined as a single service and wherein said capability token
is included within said authentication credential.

11. The method as recited in claim 7, wherein said determining client capabilities is
performed by said first service.

12. The method as recited in claim 1, further comprising said client generating a
message gate for accessing said first service, wherein said message gate sends request
messages from said client to said first service to access said first service, and wherein said
message gate includes said authentication credential in each message to said first service.

13. The method as recited in claim 12, further comprising said client obtaining a
service advertisement for said first service before accessing said first service, wherein
said service advertisement comprises an address for said authentication service and an
address for said first service.

14. The method as recited in claim 13, wherein said service advertisement further
comprises a data representation language schema defining a message interface for
accessing said first service, wherein said message gate verifies that each message sent
from said client to said first service complies with said data representation language
schema.

15. The method as recited in claim 1, wherein said authentication service is a
separately addressable service from said first service.

16. The method as recited in claim 1, wherein said client accessing an authentication
service to obtain an authentication credential to use a first service comprises said
authentication service returning said authentication credential to said client only if said
client is authorized to access said first service.

17. A method for communication in a distributed computing environment, 
comprising: 

a client obtaining a service advertisement for a first service, wherein said service 
advertisement includes an address for an authentication service; 

said client sending a request message to said authentication service to obtain an 
authentication credential to use said first service; 

said client generating a message gate for accessing said first service, wherein said 
message gate embeds said authentication credential in every message from 
said client to said first service; and 

said client accessing said first service through said message gate. 

18. The method as recited in claim 17, wherein said service advertisement further 
comprises a data representation language schema defining a message interface for 
accessing said first service, the method further comprising said message gate verifying 
that every message sent from said client to said first service complies with said data 
representation language schema. 

19. The method as recited in claim 18, wherein said data representation language
schema is an eXtensible Markup Language (XML) schema and said messages from said
client to said first service are XML messages.

20. The method as recited in claim 17, further comprising said first service using said
authentication service to determine if said authentication credential received in a first 
message from said client is authentic. 

21. The method as recited in claim 20, further comprising, after authenticating said 
authentication credential received in said first message from said client, said first service 
determining which capabilities of said first service said client is authorized to use, 
wherein said first service responds to a request message from said client only if said 
request message is for an authorized capability for said client. 

22. The method as recited in claim 21, further comprising said first service binding a 
determination of which capabilities of said first service said client is authorized to use to 
said authentication credential so that said first service does not need to repeat said 
determining which capabilities of said first service said client is authorized to use. 

23. The method as recited in claim 20, further comprising said first service noting 
whether or not said authentication credential is authentic so that said first service does not 
need to repeat said using said authentication service to determine if said authentication 
credential received in a first message from said client is authentic. 

24. The method as recited in claim 17, wherein said service advertisement for said 
first service further includes an address for accessing said first service, wherein said 
authentication service and said first service are separate services within the distributed 
computing environment. 

25. The method as recited in claim 17, wherein said service advertisement further 
includes a service identifier token for said first service, wherein said client sending a 
request message to said authentication service to obtain an authentication credential 
comprises sending said service identifier token and a client identifier token to said 
authentication service.

26. The method as recited in claim 25, wherein said authentication service generates
said authentication credential from said client identifier token and said service identifier
token.
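
The flow recited in claims 17 to 26, as an added sketch that is not part of the claims text or of any implementation by the applicant. Assumed for illustration: all class and field names, the HMAC-based credential format, a dictionary standing in for the XML schema, and in-process calls standing in for the advertised addresses.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

class AuthenticationService:
    """Issues and authenticates credentials (claims 16, 20, 25 and 26)."""
    def __init__(self, acl):
        self._key = secrets.token_bytes(32)  # secret held only by this service
        self._acl = acl                      # {service_id: {client_id, ...}}

    def _mac(self, client_id, service_id):
        data = f"{client_id}\x00{service_id}".encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def issue(self, client_id, service_id):
        if client_id not in self._acl.get(service_id, ()):  # claim 16
            return None
        return f"{client_id}:{self._mac(client_id, service_id)}"

    def authenticate(self, credential, service_id):
        client_id, _, mac = credential.rpartition(":")
        expected = self._mac(client_id, service_id)
        ok = hmac.compare_digest(mac.encode(), expected.encode())
        return client_id if ok else None

class MessageGate:
    """Client-side gate built from the advertisement (claims 17 and 18)."""
    def __init__(self, advertisement, credential):
        self._schema = advertisement["schema"]
        self._deliver = advertisement["service_address"]
        self._credential = credential

    def send(self, name, **fields):
        # Claim 18: refuse anything the advertised schema does not define.
        if name not in self._schema or set(fields) != set(self._schema[name]):
            raise ValueError(f"{name} {sorted(fields)} not in advertised schema")
        msg = ET.Element(name)
        ET.SubElement(msg, "credential").text = self._credential  # claim 17
        for key, value in fields.items():
            ET.SubElement(msg, key).text = str(value)
        return self._deliver(ET.tostring(msg))

class PrinterService:
    """Hypothetical first service (claims 20 to 23)."""
    SERVICE_ID = "svc-printer"
    def __init__(self, auth, policy):
        self._auth = auth
        self._policy = policy  # {client_id: {capability, ...}}
        self._bound = {}       # authentic credential -> bound capabilities
        self.auth_lookups = 0  # calls made to the authentication service

    def handle(self, raw):
        msg = ET.fromstring(raw)  # untrusted input in a real deployment
        credential = msg.findtext("credential", default="")
        if credential not in self._bound:  # claims 22 and 23: ask only once
            self.auth_lookups += 1
            client_id = self._auth.authenticate(credential, self.SERVICE_ID)
            if client_id is None:
                return "rejected: credential not authentic"
            self._bound[credential] = frozenset(self._policy.get(client_id, ()))
        if msg.tag not in self._bound[credential]:  # claim 21
            return "rejected: capability not authorized"
        return f"ok: {msg.tag}"

def run_demo():
    auth = AuthenticationService(acl={"svc-printer": {"alice"}})
    service = PrinterService(auth, policy={"alice": {"print"}})
    advertisement = {  # constructed sample advertisement
        "service_id": PrinterService.SERVICE_ID,
        "auth_address": auth, "service_address": service.handle,
        "schema": {"print": ["doc"], "purge": ["queue"]},
    }
    cred = advertisement["auth_address"].issue("alice", advertisement["service_id"])
    gate = MessageGate(advertisement, cred)
    forged = MessageGate(advertisement, "alice:" + "0" * 64)
    replies = [gate.send("print", doc="a.txt"), gate.send("print", doc="b.txt"),
               gate.send("purge", queue="all"), forged.send("print", doc="c.txt")]
    return replies, service.auth_lookups
```

In this sketch the schema check runs only in the client's gate, so the service still parses whatever arrives, and a result cached under claims 22 and 23 stays in force until the service discards it.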

27. A client device configured to: 

access an authentication service to obtain an authentication credential to use a first 
service; 

send a first message to said first service, wherein said first message includes said 
authentication credential, wherein said first service is configured to use 
said authentication service to authenticate said authentication credential 
received in said first message; and 

receive a response to said first message from said first service if said 
authentication credential in said first message is determined to be authentic 
as from said client device. 

28. The client device as recited in claim 27, further configured to: 

obtain an address for said authentication service from an advertisement for said 
first service; 

wherein, in said accessing an authentication service, the client device is further 
configured to: 

send a message to said address for said authentication service requesting 
said authentication credential to use said advertised first service.

29. The client device as recited in claim 28, wherein said advertisement for said first
service includes a data representation language schema defining a message interface for 
accessing said first service, and wherein said first message corresponds to a message 
defined in said data representation language schema. 

30. The client device as recited in claim 29, further configured to send additional 
messages to said first service to use said first service, wherein said authentication 
credential is included with each one of said additional messages, and wherein each one of 
said additional messages is defined by said data representation language schema. 

31. The client device as recited in claim 29, wherein said data representation language 
schema is an eXtensible Markup Language (XML) schema.

32. The client device as recited in claim 27, further configured to: 

determine client capabilities for said client device, wherein said client capabilities 
are capabilities of said first service that said client device is permitted to 
use; and 

bind said client capabilities to said authentication token. 

33. The client device as recited in claim 32, further configured to: 

send a request message to said first service to access a capability of said first 
service, wherein said request message includes said authentication 
credential; 

wherein said first service is configured to fulfill said request message only if said 
first service determines that the capability requested in said request 
message is within said client capabilities.

34. The client device as recited in claim 32, wherein, in said determining client
capabilities, the client device is further configured to access an access policy service to 
obtain a capability token indicating which capabilities of said first service said client is 
permitted to access. 

35. The client device as recited in claim 34, wherein said authentication service and 
said access policy service are combined as a single service, and wherein said capability 
token is included within said authentication credential. 

36. The client device as recited in claim 27, further configured to generate a message 
gate for accessing said first service, wherein said message gate sends request messages 
from said client to said first service to access said first service, and wherein said message 
gate includes said authentication credential in each message to said first service. 

37. The client device as recited in claim 36, further configured to: 

obtain a service advertisement for said first service before accessing said first 
service, wherein said service advertisement comprises a data 
representation language schema defining a message interface for accessing 
said first service; 

wherein said message gate is configured to verify that each message sent from 
said client device to said first service complies with said data 
representation language schema. 

38. The client device as recited in claim 27, wherein, in said accessing an 
authentication service to obtain an authentication credential to use a first service, the 
client device is further configured to receive from said authentication service said
authentication credential only if said client device is authorized to access said first
service. 

39. The client device as recited in claim 27, wherein said authentication service and 
said first service are configured to execute within a service device, and wherein said 
client device is further configured to couple to said service device via a network. 

40. The client device as recited in claim 27, wherein said client device is further 
configured to couple to a network via a wireless connection. 

41. The client device as recited in claim 27, 

wherein said authentication service is configured to execute within an 
authentication server; 

wherein said first service is configured to execute within a service device; and 

wherein said client device, said service device, and said authentication server are 
separate devices comprised in a distributed computing environment. 

42. The client device as recited in claim 27, wherein said first service is configured to 
execute within said client device. 

43. A service device configured to: 

receive from a client a first message including an authentication credential, 
wherein said client accesses an authentication service to obtain said 
authentication credential to use said service device;

use said authentication service to authenticate said authentication credential
received in said first message; and 

respond to said first message if said authentication credential in said first message 
is determined to be authentic as from said client. 

44. The service device as recited in claim 43, further configured to provide to said 
client an advertisement for said service device, wherein said advertisement includes a 
data representation language schema defining a message interface for accessing said 
service device. 

45. The service device as recited in claim 44, wherein said first message corresponds 
to a message defined in said data representation language schema. 

46. The service device as recited in claim 45, further configured to receive additional 
messages from said client to use said service device, wherein said authentication 
credential is included with each one of said additional messages, and wherein each one of 
said additional messages is defined by said data representation language schema. 

47. The service device as recited in claim 44, wherein said data representation 
language schema is an eXtensible Markup Language (XML) schema.

48. The service device as recited in claim 43, further configured to: 

determine client capabilities for said client, wherein said client capabilities are 
capabilities of said service device that said client is permitted to use; and 

bind said client capabilities to said authentication token. 

49. The service device as recited in claim 43, further configured to:

receive from said client a request message to access a capability of said service
device, wherein said request message includes said authentication 
credential; 

determine that the capability requested in said request message is within said 
client capabilities; and 

fulfill said request message only if the capability requested in said request 
message is within said client capabilities. 

50. The service device as recited in claim 43, wherein said client is configured to 
execute within a client device, and wherein said service device and said client device are 
separate devices comprised in a distributed computing environment. 

51. A distributed computing system, comprising: 
a client device; and 

a service device; 

wherein said client device is configured to: 

access an authentication service to obtain an authentication credential to 
use said service device; and 

send a first message to said service device, wherein said first message 
includes said authentication credential; and 

wherein said service device is configured to:

use said authentication service to authenticate said authentication
credential received in said first message; and 

respond to said first message if said authentication credential in said first 
message is determined to be authentic as from said client. 

52. The system as recited in claim 51, 

wherein the service device is further configured to provide to said client device an 
advertisement for said service device, wherein said advertisement includes 
a data representation language schema defining a message interface for 
accessing said service device; 

wherein the client device is further configured to obtain an address for said 
authentication service from said advertisement for said service device; and 

wherein, in said accessing an authentication service, the client device is further 
configured to send a message to said address for said authentication 
service requesting said authentication credential to use said advertised 
service device. 

53. The system as recited in claim 52, wherein said advertisement for said service 
device includes a data representation language schema defining a message interface for 
accessing said service device, wherein said first message corresponds to a message 
defined in said data representation language schema. 

54. The system as recited in claim 53, wherein the client device is further configured 
to send additional messages to said service device to use said service device, wherein said
authentication credential is included with each one of said additional messages, and
wherein each one of said additional messages is defined by said data representation 
language schema. 

55. The system as recited in claim 53, wherein said data representation language 
schema is an eXtensible Markup Language (XML) schema.

56. The system as recited in claim 51, wherein said authentication service is 
configured to execute within said service device. 

57. The system as recited in claim 51,

wherein said authentication service is configured to execute within an 
authentication server; and 

wherein said client device, said service device, and said authentication server are 
separate devices comprised in a distributed computing environment. 

58. A distributed computing system, comprising: 
a client device; 

a service device; 

wherein said client device is configured to: 

obtain a service advertisement for said service device, wherein said service 
advertisement includes an address for an authentication service;

send a request message to said authentication service to obtain an
authentication credential to use said service device;

generate a message gate for accessing said service device, wherein said
message gate is configured to embed said authentication credential
in every message from said client device to said service device; and

access said service device through said message gate.

59. The system as recited in claim 58,

wherein said service advertisement further comprises a data representation
language schema defining a message interface for accessing said service
device; and

wherein said message gate is further configured to verify that every message sent
from said client device to said service device complies with said data
representation language schema.

60. The system as recited in claim 59, wherein said data representation language
schema is an eXtensible Markup Language (XML) schema and said messages from said
client device to said service device are XML messages.

61. The system as recited in claim 58, wherein said service device is configured to:

use said authentication service to determine if said authentication credential
received in a first message from said client device is authentic;

determine which capabilities of said service device said client device is authorized
to use; and

respond to said first message from said client device only if said first message is
for an authorized capability for said client device.
62. A carrier medium comprising program instructions, wherein the program 
instructions are computer-executable to implement: 

a client accessing an authentication service to obtain an authentication credential 
to use a first service; 

said client sending a first message to said first service, wherein said first message 
includes said authentication credential; 

said first service using said authentication service to authenticate said 
authentication credential received in said first message; and 

said first service responding to said first message if said authentication credential 
in said first message is determined to be authentic as from said client. 

63. The carrier medium as recited in claim 62, wherein the program instructions are 
further computer-executable to implement: 

said client obtaining an address for said authentication service from an 
advertisement for said first service; 

wherein, in said accessing an authentication service, the program instructions are 
further computer-executable to implement:

said client sending a message to said address for said authentication
service requesting said authentication credential to use said
advertised first service.

64. The carrier medium as recited in claim 63, wherein said advertisement for said
first service includes a data representation language schema defining a message interface
for accessing said first service, wherein said first message corresponds to a message
defined in said data representation language schema.

65. The carrier medium as recited in claim 64, wherein said data representation
language schema is an eXtensible Markup Language (XML) schema.

66. The carrier medium as recited in claim 62, wherein the program instructions are
further computer-executable to implement:

determining client capabilities for said client, wherein said client capabilities are
capabilities of said first service that said client is permitted to use; and

binding said client capabilities to said authentication token;

said client sending a request message to said first service to access a capability of
said first service, wherein said request message includes said
authentication credential;

said first service determining that the capability requested in said request message
is within said client capabilities; and

said first service fulfilling said request message only if the capability requested in
said request message is within said client capabilities.

67. The carrier medium as recited in claim 62, wherein the program instructions are
further computer-executable to implement:

said client generating a message gate for accessing said first service;

said message gate sending request messages from said client to said first service to
access said first service, wherein said message gate includes said
authentication credential in each message to said first service.

68. The carrier medium as recited in claim 67, wherein the program instructions are
further computer-executable to implement:

said message gate verifying that each message sent from said client to said first
service complies with a data representation language schema, wherein said
data representation language schema defines a message interface for
accessing said first service.

69. A carrier medium comprising program instructions, wherein the program 
instructions are computer-executable to implement: 

a client obtaining a service advertisement for a first service, wherein said service
advertisement includes an address for an authentication service;

said client sending a request message to said authentication service to obtain an
authentication credential to use said first service;

said client generating a message gate for accessing said first service, wherein said
message gate embeds said authentication credential in every message from
said client to said first service; and

said client accessing said first service through said message gate.

70. The carrier medium as recited in claim 69, wherein said service advertisement
further comprises a data representation language schema defining a message interface for
accessing said first service, and wherein the program instructions are further
computer-executable to implement:

said message gate verifying that every message sent from said client to said first
service complies with said data representation language schema.

71. The carrier medium as recited in claim 70, wherein said data representation
language schema is an eXtensible Markup Language (XML) schema and said messages
from said client to said first service are XML messages.

72. The carrier medium as recited in claim 69, wherein the program instructions are
further computer-executable to implement:

said first service using said authentication service to determine if said
authentication credential received in a first message from said client is
authentic;

said first service determining which capabilities of said first service said client is
authorized to use; and

said first service responding to said first message from said client only if said first
message is for an authorized capability for said client.